Mass metadata storage law 'invalid' invasion of privacy

The European Court of Justice (CJEU) has declared that an EU directive which requires telecoms
companies to store the communications data of EU citizens for up to
two years is invalid and represents an invasion of privacy.

According to the court, the Data
Retention Directive represents "a wide-ranging and
particularly serious interference" with the fundamental rights to
respect for private life and to the protection of personal data,
and goes beyond what is deemed strictly necessary.

The directive was launched in March 2006 following the bombings
on public transport in London and Madrid. It was intended to help
authorities better investigate and prosecute serious organised
crime and terrorism. It forced telecoms companies to keep the
metadata of phone services -- the location they were made, the
person calling and the person receiving the call, how often they
called and at what time -- for between six and 24 months.

The case was taken to the CJEU after Ireland's High Court and
Austria's Constitutional Court asked it to examine whether the law
was in line with the Charter of Fundamental Rights of the EU. The
move followed a dispute in Ireland between a company called Digital
Rights Ireland and the Irish authorities regarding the legalities
of retaining this data. Meanwhile the Austrian court had a number
of actions brought to it, looking for the transposed version of the
directive in Austrian law to be annulled.

Today's ruling reveals that the data retained provide "very precise
information on the private lives of persons whose data are
retained, such as the habits of everyday life, permanent or
temporary places of residence, daily or other movements, activities
carried out, social relationships and social environments
frequented".

Not only did the court rule that the directive interferes with
rights to privacy, but also says: "The fact that data are retained
and subsequently used without the subscriber or registered use
being informed is likely to generate in the persons concerned a
feeling that their private lives are subject to constant
surveillance."

The court rules that by adopting the Data Retention Directive,
the EU legislation does not comply with the principle of
proportionality -- that is to say that the data collection is
disproportionate to the cause of public security and the
interference isn't limited to what is strictly necessary. This is
because it covers all individuals without any differentiation,
limitation or exception being made in light of the objective of
fighting against serious crime.

Secondly, the directive doesn't explain any objective criterion
that would ensure that the relevant national authorities would have
access to that data only for the purposes intended. In fact, the
directive refers simply to "serious crime" as defined by each
member state. Given that we have seen copyright infringement referred to as a
"serious organised crime", you can see where the worry stems
from.

The Court also found that the directive does not have sufficient
safeguards to ensure "effective protection of the data against the
risk of abuse" nor does it prevent any unlawful access to the
data.

Liberal Democrat MEP and Home Affairs Spokesperson in the
European Parliament Sarah Ludford was quick to comment on the news:
"This landmark judgement throws a spanner in the works
of increased state surveillance.

"It is a vindication of the Lib Dem rejection of this pernicious
Directive in 2005 that the EU's highest court has ruled it an
unjustified invasion of privacy and a breach of human rights.

"It chimes with the recent call by Liberal Democrats for a
'Digital Bill of Rights' and an end to government bulk collection
of data and the establishment by Nick Clegg of an independent
review into surveillance practices."

Updated 09/04/2014: Wired.co.uk asked
Nicola Fulford, Commercial Technology Partner at law
firm Kemp about what this means for the law in the UK.
She said: "The UK regulations which implemented the
Directive, the Data Retention (EC Directive) Regulations 2009, are
still in force, although of course they may now be open to
challenge in local courts (or be improved by new EU or local law
changes).

"Much law in this field focuses on a balance between the
interests of those wishing to process data (for example for
national security or business reasons), and the privacy impact to
the individuals concerned. Interestingly, in this decision,
the European Court of Justice has come down on the side of privacy
and not on free data collection, even for national
security."